On September 1, 2017, Innovation, Science and Economic Development Canada (formerly Industry Canada) released the proposed text for Regulations to govern mandatory breach reporting and notification under Canada's federal privacy legislation, PIPEDA. The proposed text is accompanied by a detailed Regulatory Impact Analysis Statement (RIAS), and indicates that publication of the text initiates a 30 day comment period.
Mandatory data breach reporting and notification at the federal level was introduced with amendments to the federal private sector privacy law (PIPEDA) enacted by the Digital Privacy Act (Bill S-4). Bill S-4 came into force on June 18, 2015, but the new breach reporting and notification provisions will not come into effect until regulations are passed to govern the new requirements.
Under PIPEDA's mandatory reporting and notification regime, organizations that experience a data breach must report the incident to the Office of the Privacy Commissioner of Canada (the Commissioner) and notify affected individuals. Notification is required in all circumstances where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual", which is defined to include humiliation, damage to reputation or relationships, and identity theft.
PIPEDA indicates that the notice must be given in the "prescribed format", which is now outlined within the proposed Regulations. The proposed Regulations do not impose any surprising or unexpected requirements regarding the form of notification. The Regulations anticipate that the report to the Commissioner and notification to affected individual will contain:
- a description of the circumstances of the breach (and in the case of the report to the Commissioner, if known, the cause);
- the day on which, or period during which, the breach occurred;
- a description of the personal information that is the subject of the breach;
- a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm (and in the case of the report to the Commissioner, a description of the steps the organization has take to reduce the risk of harm).
For the notification to individuals, the organization must provide a toll-free number or email address for the affected individual to obtain further information, and must provide information about the organization's internal complaint process and the affected individual's right to file a complaint with the Commissioner.
For the report to the Commissioner, the organization must provide an estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm, a description of the steps that the organization has taken or intends to take to notify each affected individual, and the name and contact information of a person at the organization who can respond to questions about the breach.
The proposed Regulations also prescribe the manner of notifying individuals, which is to be given directly to the individual unless an exception applies that would allow for indirect notification. The Regulations indicate that direct notification can only be provided by email "if the affected individual has consented to receiving information from the organization in that manner". The Regulations do not define the form of "consent" that is required for the sending of such emails and whether consent may be "implied" or whether organizations will need "explicit" or express consent. Direct notification may also be given by letter, telephone or in person.
Indirect notification is to be given if any of the following circumstances exist: the giving of direct notification would cause further harm to the affected individual; or the cost of giving of direct notification is prohibitive for the organization; or the organization does not have contact information for the affected individual or the information that it has is out of date. Where indirect notification is used, it must be given either by a conspicuous message, posted on the organization's website for at least 90 days or by means of an advertisement that is likely to reach the affected individuals.
While the PIPEDA breach reporting and notification requirements are similar to the regime that exists in Alberta and relatively unsurprising in terms of their requirements, Bill S-4 also introduced a "data breach record-keeping" requirement that is unique within Canada. The provision requires organizations to keep and maintain a record of every breach of safeguards involving personal information under their control (whether or not notifiable) and to provide the Commissioner with such records on request.
This record keeping obligation is of significant concern to large organizations who are subject to frequent security intrusions and would not keep any record of these incidents in the normal course. The RIAS indicates that the proposed Regulations "confirm the scope and retention period for data breach record-keeping". However, the proposed Regulations provide only that records of breaches of security safeguards must be kept for 24 months and must contain any information pertaining to the breach that enables the Commissioner to verify compliance with breach reporting and notification obligations.
Organizations that detect and deter hundreds or possibly thousands of security incidents annually will experience obvious difficulties in complying with the record keeping requirements, and can be expected to provide significant feedback and comment on this aspect of the proposed Regulation during the Gazette comment period.